SETIT 2007

4th International Conference: Sciences of Electronic,

Technologies of Information and Telecommunications
March 25-29, 2007 – TUNISIA

Fuzzy approach for 802.11 wireless intrusion detection

H.BELLAAJ*, ***, R.KETATA**, *** A.HSINI
*
Military Academy of Fondouk Jedid Nabeul Tunisia
bellaaj@yahoo.fr
**
National Institute of Applied Science and Technologies of Tunis , Tunisia
raouf.ketata@insat.rnu.tn
***
Research unit on Intelligent Control and Optimization of Complex System (ICOS)
National Engineering School of Sfax, BP.W, 3038, Sfax Tunisia

Abstract: This paper proposes a new fuzzy logic approach to perform analysis and detection intrusion in 802.11
wireless networks. The algorithm consists of five steps: First, construct the networks and generate many cases of daily
traffic and intrusion. In the same time, catch different values of system and network parameters and associate to them a
potential degree of severity alarm. Second, generate fuzzy rules from numerical data using Mendel Wang method.
Third, implement a new rule base on each computer and start system; then adjust it to catch parameters cyclically and
compute severity alarm. If it detects intrusion, then it will send a message to every network node. Fourth, in case of
errors or no system response would start learning mechanism by injection of numerical values and generate fuzzy rules.

Key words: Fuzzy logic, Network security, Wireless intrusion detection.

need of an access point; given that they do not

INTRODUCTION
Recently, there has been a growing interest in the
use of wireless LAN (WLAN) technology. Examples
of applications range from standard Internet services,
such as Web access, to real-time services with strict
latency/throughput requirements, such as multimedia
video and voice over IP (VoIP). Future applications
will be more demanding and may include high
definition television (HDTV) and audiovisual support
[N.Ramos, & al. 10].
Different types of wireless networks are now
available:
– WPANS: Wireless Personal Area Networks
(802.15 Bluetooth): The two current technologies
for wireless personal area networks are Infra Red
(IR) and Bluetooth (IEEE 802.15). These will
allow the connectivity of personal devices within
an area of about 30 feet. However, IR requires a
direct line of site and the range is less.
– WLANS: Wireless Local Area Networks (802.11):
allow users in a local area, such as a university
campus or library, to form a network or gain
access to the internet. A temporary network can
be formed by a small number of users without the
need access to network resources.
– WMANS: Wireless Metropolitan Area Networks
(802.16): This technology allows the connection
of multiple networks in a metropolitan area such
as different buildings in a city, which can be an
alternative or backup to laying copper or fibre
cabling.
– WWANS: Wireless Wide Area Networks (802.20):
These types of networks can be maintained over
large areas, such as cities or countries, via
multiple satellite systems or antenna sites looked
after by an ISP. These types of systems are
referred to as 2G (2nd Generation) systems.
With the increased usage of wireless LANs,
network security has become a major issue. Three
major methods are available:
– Service Set Identifier (SSID), logical network
names in the wireless LAN
– Access Control List (ACL) or Media Access
Control (MAC) – filtering, this means
identification of the WLAN clients via their MAC
address (worldwide unique identification number
of the network card)
– Wired Equivalent Privacy (WEP), encryption
standard in WLANs

-1-
SETIT2007
As, Wired Equivalent Privacy (WEP) has been
proved vulnerable to attacks, it is necessary to monitor
the activities of the wireless LAN. Network probes or
scans attempt to discover vulnerabilities and network
probes are attempting to find open doors for future
attacks if the network probe returns positive results for
the hacker [D. Dasgupta & al. 04].
This work is motivated by the fact that most
existing intrusion detection systems (IDSs) fail to
detect many cyber attacks because they lack intelligent
techniques to make correct decisions in detecting
distributed attacks [D. Dasgupta & al. 04]. Only
intrusion in WLANS will be treated.
Our solution consists of fuzzy approaches by
construct network; generate daily traffic and different
cases of intrusion. Then, assign to different numerical
values a degree of severity alarm. Generate fuzzy rules
by Mendel Wang method. Implement rule base on
each PCs and start system. Its works consist of
catching traffic and system parameters. Finally
compute severity alarm. In case of intrusion send a
message for every network nodes.
The remainder of this paper is organized as
follows: In section II, a brief review of the 802.11
norm. In section III, security problems are presented.
Next discussion of network security attacks and
detection of intrusion tools are presented in section IV
and V. A fuzzy system and Mendel Wang method are
presented in section VI. After that, system architecture
and algorithms is presented in section VII, followed
by possible results discussed in section VIII. Finally,
we present our conclusion.
1. IEEE 802.11 wireless network
architecture
The IEEE 802.11 standard permits devices to
establish either peer-to-peer (P2P) networks or
networks based on fixed access points (AP) with
which mobile nodes can communicate. Hence, the
standard defines two basic network topologies: the
infrastructure network and the ad hoc network. The
infrastructure network is meant to extend the range of
the wired LAN to wireless cells. A laptop or other
mobile devices may move from cell to cell (from AP
to AP) while maintaining access to the resources of the
LAN. A cell is the area covered by an AP and is called
a “basic service set” (BSS). The collection of all cells
of an infrastructure network is called an extended
service set (ESS). This first topology is useful for
providing wireless coverage of buildings or campus
areas. By deploying multiple APs with overlapping
coverage areas, organizations can achieve broad
network coverage. WLAN technology can be used to
replace wired LANs totally and to extend LAN
infrastructure.
A WLAN environment has wireless client
stations that use radio modems to communicate to an
-2-
AP. The client stations are generally equipped with a
wireless network interface card (NIC) that consists of
the radio transceiver and the logic to interact with the
client machine and software. An AP comprises
essentially a radio transceiver on one side and a bridge
to the wired backbone on the other. The AP, a
stationary device that is part of the wired
infrastructure, is analogous to a cell-site (base station)
in cellular communications. All communications
between the client stations and between clients and the
wired network go through the AP.
Although most WLANs operate in the
“infrastructure” mode and architecture described
above, another topology is also possible. This second
topology, the ad hoc network, is meant to easily
interconnect mobile devices that are in the same area
(e.g., in the same room). In this architecture, client
stations are grouped into a single geographic area and
can be Internet-worked without access to the wired
LAN (infrastructure network). The interconnected
devices in the ad hoc mode are referred to as an
independent basic service set (IBSS).
The ad hoc configuration is similar to a peer-
to-peer office network in which no node is required to
function as a server. As an ad hoc WLAN, laptops,
desktops and other 802.11 devices can share files
without the use of an AP.
2. Security problems of 802.11 network
Matthew Gast explains in [M.Gast 09b] seven
points security problems of 802.11 network wireless:
– Problem 1: Easy Access
– Problem 2: "Rogue" Access Points
– Problem 3: Unauthorized Use of Service
– Problem 4: Service and Performance Constraints
– Problem 5: MAC Spoofing and Session Hijacking
– Problem 6: Traffic Analysis and Eavesdropping
– Problem 7: Higher Level Attacks
3. Network security attacks
Network security attacks are typically divided
into passive and active attacks. These two broad
classes are then subdivided into other types of attacks.
All are defined below.
3.1. Passive attack
An attack in which an unauthorized party gains access
to an asset and does not modify its content (i.e.,
eavesdropping). Passive attacks can be either
eavesdropping or traffic analysis (sometimes called
traffic flow analysis). These two passive attacks are
described below.
– Eavesdropping: The attacker monitors
transmissions for message content. An example
of this attack is a person listening to the
transmissions on a LAN between two
workstations or tuning into transmissions
between a wireless handset and a base station.
– Traffic analysis: The attacker, in a more subtle
SETIT2007
way, gains intelligence by monitoring the
transmissions for patterns of communication. A
considerable amount of information is
contained in the flow of messages between
communicating parties.
Figure 1 provides a general taxonomy of security
attacks to help organizations and users understand
some of the attacks against WLANs [T.Karygiannis, &
al. 11].
Figure 1 : Taxonomy of Security Attacks
3.2. Active attack
An attack where by an unauthorized party makes
modifications to a message, data stream, or file. It is
possible to detect this type of attacks but it may not be
preventable. Active attacks may take the form of one
of four types (or combination thereof): masquerading,
replay, message modification, and denial-of-service
(DoS). These attacks are defined below.
– Masquerading: The attacker impersonates an
authorized user and thereby gains certain
unauthorized privileges.
– Replay: The attacker monitors transmissions
(passive attack) and retransmits messages as the
legitimate user.
– Message modification: The attacker alters a
legitimate message by deleting, adding to,
changing, or reordering it.
– Denial-of-service: The attacker prevents or
prohibits the normal use or management of
communications facilities.
The risks associated with 802.11 are the result of
one or more of these attacks. The consequences of
these attacks include, but are not limited to, loss of
proprietary information, legal and recovery costs,
tarnished image, and loss of network service.
4. Detection of intrusion in the wireless
network
A recent study in [Y.X.Lim & al. 12] show that there
exist a few products that perform the intrusion
detection and active response roles for the above
attacks. However, none provide adequate protection
for wireless networks, especially for larger
deployments.
AirDefense [Air Defense Inc 01] is a complete
hardware and software system consisting of sensors
deployed throughout the network, which are interfaced
to a management appliance, and adminstered by a
-3-
management console. Their starter kit provides five
sensors and can guard up to ten access points (APs).
AirDefense detects intruders and attacks and also
diagnoses potential vulnerabilities in the network like
misconfigurations [Y.X.Lim & al. 12].
Another commercial product is AirMagnet
[AirMagnet 02] which runs on laptops or handhelds
and also includes a Cisco wireless card in the package.
Like AirDefense, it incorporates detection of
vulnerabilities and intrusions. For intrusions,
AirMagnet detects unauthorized APs and clients and
DoS attacks by flooding. A similar product is
Surveyor Wireless [Finisar 05]. These software
products require a technician to move around the
network to detect possible security threats.
Interestingly, this software may also be used by an
intruder, though such use is unlikely because of the
high price [Y.X.Lim & al. 12].
One non-commerical product is Fake AP [Black
Alchemy Enterprises 03]. Fake AP is a simple Linux
program that simulates a user-specified list of APs by
broadcasting IEEE 802.11b beacon frames. This
potentially confuses an intruder passively sniffing the
network. The program is available freely under the
GNU Public License (GPL) [Y.X.Lim & al. 12].
AirSnare [J. L. DeBoer 07] is a program for Windows
that detects DHCP requests or unauthorized MAC
addresses attempting to connect to an AP. Intrusion
response consists of an alert to the administrator and
optional message is sent to the intruder via Windows
netmessage. AirSnare has a non-commercial license
[Y.X.Lim & al. 12].
5. Fuzzy logic
Sensed by the philosopher Max Black since
1937, the concept of fuzzy logic is really introduced in
1965 by Lotfi Zadeh. He made a comparison between
the computers of the era and the human reasoning (the
comparisons always valid); If a computer calculates
much more quickly in a rigorous way, its abilities to
reflect and learn are limited. Moreover, its rigidity as a
machine and its binary operation do not let it adapt to
certain tasks, which seem to be simple to human
beings.
The principle of fuzzy logic is attributed to the fact
that boolean variable which can take only two values
(True or False) is badly adapted to the human
knowledge. Although the traditional logic considers
that a proposal is either true or false, the fuzzy logic
distinguishes indefinite values of truth (between 0 and
1). [H.N.V.Havinga & al. 06]
Fuzzy logic systems use membership functions and
rules collection. They transform the input variables
into fuzzy terms. The latter are used at the execution
of rules formulated by linguistic expressions. Often
fuzzy systems transform linguistic conclusions into
output variables.
SETIT2007
Figure 2: General architecture of an expert system
Figure 2 describes different operations for inference
mechanism. We distinguish: fuzzification, inference,
composition and defuzzification.
5.1. Fuzzification
Once the variables, the linguistic sets and the
connection between them are defined, we present the
input parameters to the membership function which
describes one or more linguistic terms. This can be
done by the projection of input value on the curves
representing membership function or by direct
calculation. As a result, we obtain one or many
linguistic terms witch are associated with the
membership degree.
5.2. Inference
This step consists of generating the fuzzy output
variables by the rules application. Through the
calculation of the degree of truth of the premises of
these latter, new membership functions are also
generated with the indication of the degree of truth of
the obtained variables. This step corresponds in
general to the Min or Product functions.
5.3. Composition
In this step, which is also called aggregation of
rules, all fuzzy sets assigned to the conclusion part of
the rules after inference, is combined to form only one
fuzzy subset. A new membership function is then
created. In general we use Sum or Max function.
5.4. Defuzzification
Sometimes it is possible to examine just fuzzy set
of output variables which are the result of the
composition process. Often these fuzzy values need to
be converted into a singular number. This is the reason
of the defuzzification process. Several methods of
defuzzification exist. The center of gravity and the
Max methods are the two most prevalent techniques.
In the first, output variables are calculated by the
research of gravity center of the membership function
of the fuzzy value. In the second method, one of the
variables in which the fuzzy subset is in its maximum
value of truth, is selected.
6. Generating fuzzy rules from numerical
data
To design a control system, first we need to see
what information is available. We assume that there is
no mathematical model, i.e., we consider a model free
design problem. Since there is already a human
controller who is successfully controlling the system,
two kinds of information are available to us: 1) first
the experience of the human controller; seconds
sampled input output (state-control) pairs that are
recorded from successful control by the human
-4-
controller. The experience of the human controller is
usually expressed as some linguistic “IF-THEN” rules
that state in what situation(s), which action(s) should
be taken. The sampled input-output pairs are some
numerical data that give the specific values of the
inputs and the corresponding successful outputs [L.-
X.Wang & al. 08] .
Each of the two kinds of information alone is
usually incomplete. Although the system is
successfully controlled by a human controller, some
information will be lost when human controllers
express their experience by linguistic rules.
Consequently, linguistic rules alone are usually not
enough for designing a successful control system. On
the other hand, the information from sampled input-
output data pairs is also usually not enough for a
successful design, because the past operations usually
cannot cover all the situations the control system will
face [L.-X.Wang & al. 08] .
This method developed in [L.-X.Wang & al. 08]
by Mendel and Wang consist of generating fuzzy rules
from numerical data pairs, collecting these fuzzy rules
and the linguistic fuzzy rules into a common fuzzy
rule base and finally designing a control or signal
processing system based on the combined fuzzy rule
base. A five step procedure for generating fuzzy rule
from numerical data pairs was proposed:
Step 1: divide the input and output spaces of the given
numerical data into fuzzy regions.
Step 2: generate fuzzy rules from the given data; first
determine the degrees of given data in different
regions. Second assign it to the region with maximum
degree. Finally obtain one rule from one pair of
desired input / output data.
Step 3: assign a degree of truth to each of the
generated rules for the purpose of resolving conflicts
among the generated rules.
Step 4: create a combined fuzzy rule base based on
both the generated rules and linguistic rules of human
experts.
Step 5: determine a mapping from input space to
output space based on the combined fuzzy rule base
using a deffuzification procedure.
7. Proposed approach
In this approach, we have been inspired by the
work of D. Dasgupta and al. in [D. Dasgupta & al.
04]. It consists of an agent-based approach for
monitoring and detecting different kinds of attacks in
wireless networks. The long-term goal of this research
is to develop a self-adaptive system that will perform
real-time, monitoring, analysis, detection, and
generation of appropriate responses to intrusive
activities. Its approach supposes existing of manager
agent. This can present different defaults like these
SETIT2007

problems or disconnection of this station. 7.4. Generating fuzzy rules base

Our approach consists of implementing same
system in each node. We use only one station in rule
base creation. Next we present given systems and
networks parameters. Fuzzy member ship functions
and traffic generation condition are exposed. Then, we
discuss generating rules and implementation process,
learning algorithm. Finally, we present the architecture
of the system.
7.1. System and network parameters
To choose fuzzy parameters judiciously, a whole
survey can be done in order to optimize the compute
time. This survey will be the topic of a future work. In
this approach we have made some tests through which
we have selected 6 entry parameters:
We use Mendel Wang method for generating
fuzzy rules base from numerical data. Efficiency of
this algorithm depends on choice of fuzzy membership
function and numerical data extracted. Generating
algorithm is implemented in each node, this, for
catching maximum data values and tests cases. We
start with 200 values which generate about 30 rules.
7.5. Implementation of rule base and system work
Basic architecture of the system is given in
figure 4.

- PN : Process number
- OctRecN : Received octet number
- OctSentN : Sent octet number
- PktRecN : Received packet number
- PktSentN : Sent packet number
- BW : Band width

7.2. Membership functions Figure 4: Wireless intrusion detector architecture

Triangular membership functions are chosen.
Limits for each function are adjusted after different
tests. Figure 3 presents membership function for
received octet number parameter.
Actually system is composed of two principal
components: one for generating fuzzy rules and the
other for detection intrusion. These two parts use
SNMP server for detecting parameters values.

Figure 3: OctRecN member ship function
7.3. Traffic generation
For traffic generation, different cases are
considered. Five scenario tests are realized. It consists
of different cases of use. Results depend on daily
traffic network and the nature of application. This step
must be treated in each network before starting the
system in each node. In our case we consider a
network with six nodes. Traffic generation
corresponds to research unit flow. One of these
scenarios consists of:
- starting six PCs in network
- starting many applications (Matlab, oracle,
jbuilder, …) in different nodes
- starting downloads operations
- starting active intrusion
- catching different values and assigning to
them a high severity alarm (In this case 5)
7.6. Learning
In the case where the system can’t respond or
gives wrong results, we can take a learning process.
This consists of catching values of each parameter.
Assign to them a severity degree of alarm. Start a
generating fuzzy rules algorithm and implementing
this rule in data base. The result of this operation must
be injected in each wireless intrusion detector.
8. Application results
Twice of the obtained rules from initial
retained numerical data are:
• if PN is Low and OctRecN is Low and
OctSentN is Low and BW is Low and
PktRecN is Low and PktSentN is Low then
SA is Low
• if PN is Medium high and OctRecN is
Medium Low and OctSentN is High and BW
is Medium and PktRecN is Medium and
PktSentN is Medium then SA is High
Where SA is the severity alarm
Figure 5 and 6 presents the evolution of parameter
PN and PktSentN. Through it, we can distinguish
different scenarios of network works: low and high
traffic.

-5-
SETIT2007
Figure 5: Evolution of parameter PN
Figure 6: Evolution parameter PktSentN
Application results are illustrated in figure 7. One
notice, that the answer of the system closes enough to
the desired answer. The difference can be explained by
the fact that the generated rules depend strongly on
tests scripts established again. Indeed, one take
generation of a daily traffic as a basis which can be
destabilized by a simple heavy downloading.
Figure 7: Wireless intrusion detector architecture
We notice in some cases that the elevation of the
tests scripts improves considerably the gotten results.
It will be the subject of our future work. Now, one can
evaluate the rate of success of this system to 14/20
almost 70%.
Mathematically, in certain case the system cannot
answer. This is mainly when we are considerably out
of tests achieved for rules generation. The system is
then brought to apply the procedure of training that
-6-
was explained previously.
9. Conclusion
This work is one of many different first steps for
wireless network intrusion detection.
Our proposition consists, in generation of fuzzy
rules from numerical data. These latter are not
anything other than the translation of the daily traffic
with assignment of alarm degree. Once the rule basis
is generated, it is implemented in each station of the
network. If alarm is detected, a message will be
transmitted to each node. An approach of training is
foreseen. The solution is currently proposed in ad hoc
mode. It is however expandable.
Some conclusions can be discussed:
- In the inverse of existent methods, the new
technique uses a human logic and can be
performed for a specific use. This means
adjustment and definition of membership
function of each variable specifically for the
average traffic of the network. A high study of
different combination of parameters which can
influence the network can attempt to a best
tools for intrusion detection.
- Obtained results depend on tests scenarios and
recovered numerical data. In fact, we can speak
about special tool which jugged abnormal
traffic compared to the daily
- Adjustment and gait of fuzzy membership
function can be a subject of study to optimize a
system response.
Different possibility of improvement of
performance is actually discussed. In fact we can
behave in three different layers:
• Generation of numerical data: we will
examine the possibility of using TSK fuzzy
models. The learning of TSK parameters will
be done with gradient descent method.
• Comparative study between networks
parameters: One approach is to use different
combination of network parameters to find
the best significant variables for each case of
networks.
• Working on line: this means that the system
in arrive of new data pair can be learning by
generating new rules (Mamdani case) or
adjusting TSK parameters or adjusting
membership functions.
REFERENCES
[Air Defense Inc 01] Wireless LAN Security for the
Enterprise Air Defense, [Website], [cited 2003 Jan 30],
Available HTTP: http://www.airdefense.net/
SETIT2007

[AirMagnet 02] Air Magnet [Website], [cited 2003

Jan 30], Available HTTP:
http://www.airmagnet.com/
[Black Alchemy Enterprises 03] Black Alchemy
Weapons Lab: Fake AP, Black Alchemy
Enterprises, [Online document], 2002 Oct 12,
[cited 2003 Jan 30], Available HTTP:
http://www.blackalchemy.to/Projects/fakeap/fake-
ap.html
[D. Dasgupta & al. 04] MMDS: Multilevel
Monitoring and Detection - System proceedings of
the 15th Annual Computer Security Incident
Handling Conference (FIRST), Ottawa, Canada
June 22-27, 2003
[Finisar 05] Surveyor Wireless, Finisar, [Website],
[cited 2003 Jan 30], Available HTTP:
http://www.gofinisar.com/index.html
[H.N.V.Havinga & al. 06] Fuzzy Logic - Delft
University Technology of, 1999.
[J. L. DeBoer 07] Digital Matrix – AirSnare Digital
Matrix, [Online document], [cited 2003 Jan 30],
Available HTTP:
http://home.attbi.com/~digitalmatrix/airsnare/
[L.-X.Wang & al. 08] Generating fuzzy rules by
learning from examples IEEE Trans. Syst., Man,
Cybern., vol. 22, pp. 1414–1427, Nov./Dec. 1992.
[M.Gast 09a] 802.11 Wireless Networks: The
Definitive Guide Creating and Administering
Wireless Networks. Oreilly Edition April 2002
[M.Gast 09b] Seven Security Problems of 802.11
Wireless. Oreilly Edition 2002
[N.Ramos, & al. 10] Quality of Service Provisioning
in 802.11e Networks: Challenges, Approaches, and
Future Directions - IEEE Network • July/August
2005 University of California at San Diego
[T.Karygiannis, & al. 11] Wireless Network Security
802.11, Bluetooth and Handheld Devices.
Computer Security Division Information
Technology Laboratory National Institute of
Standards and Technology Gaithersburg, MD
20899-8930 November 2002
[Y.X.Lim & al. 12] Wireless Intrusion Detection and
Response Proceedings of the 2003 IEEE Workshop
on Information Assurance United States Military
Academy, West Point, NY June 2003
[Z.Tabona 13] An Introduction to Wireless
Networking – Windows networking.com May
2005

-7-